Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-30997 | IA-02.02.01 | SV-41043r2_rule | COAS-1 COAS-2 COBR-1 CODB-1 CODB-2 CODB-3 CODP-1 CODP-2 CODP-3 COEB-1 COEB-2 COED-1 COED-2 COEF-1 COEF-2 COMS-1 COMS-2 COPS-1 COPS-2 COPS-3 COSP-1 COSP-2 COSW-1 COTR-1 DCAR-1 DCHW-1 | Medium |
Description |
---|
Failure to develop a COOP and test it periodically can result in the partial or total loss of operations and INFOSEC. A contingency plan is necessary to reduce mission impact in the event of system compromise or disaster. |
STIG | Date |
---|---|
Traditional Security | 2013-07-11 |
Check Text (C-39664r3_chk) |
---|
Check that there is a written COOP plan for inspected systems: 1. For Mission Assurance Category (MAC) III systems only: If a COOP or Disaster Recovery Plan is not in place, ensure the DAA has considered and accepted the risk (specifically for lack of COOP) in a Risk Assessment. 2. Check COOP documentation for plan testing, discrepancies noted, and whether corrective action was taken. 3. Conduct a cursory review of the COOP to ensure it is commensurate with the MAC Level of the system concerning recovery times and testing requirement(s). NOTES: 1. Certain large computing centers like the DISA Computing Services (DECCs) may offer COOP as a fee-for-service option. Since this is applicable to "customer" applications, it should not be a finding attributed to the DECC. If appropriate, COOP or the lack thereof, if cited as a finding in this instance, should be attributed to the specific customer. 2. This requirement should not be applied to a tactical environment, unless it is a fixed computer facility supporting operations within a Theater of Operations. The standards to be applied for applicability in a tactical environment are: 1) The facility containing the computer room has been in operation over 1 year. 2) The facility is a "fixed facility": a hard building made from normal construction materials (wood, steel, brick, stone, mortar, etc.). |
Fix Text (F-34810r3_fix) |
---|
Continuity of Operations Plans (COOP) must be developed and tested commensurate with Mission Assurance Category (MAC) Level for ALL DISN connected systems to ensure system and data availability in the event of any type of failure. For MAC III systems only: If no COOP is in place, ensure the risk has been (specifically) accepted by the responsible DAA in a Risk Assessment. |